MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494
SHA3-384 hash:	3ce67894b6a012377b594e8636b9b5d42cd79e3e2ff20fa19b48d164bff92dcbe00e429d2530f9cc8946c08c3af7f490
SHA1 hash:	481c78406c41ac2ec578f43a9843eb283efc03e2
MD5 hash:	228d142c8c8d356aba381c12dd5bd72c
humanhash:	tennessee-artist-whiskey-double
File name:	SecuriteInfo.com.Trojan.GenericKD.45772039.21972.30569
Download:	download sample
File size:	1'486'336 bytes
First seen:	2021-03-11 14:47:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	40f13480de347a7e4964fbc840b60e7d
ssdeep	24576:PDGNkNlvfEOLfc4aqJziOuHbVCDUUgb/SbK0EoNUtvjbdq6l0gV6P4:xxfLWFzURbKSkjbwhgVr
Threatray	452 similar samples on MalwareBazaar
TLSH	CA658C22BE9E8837C07716348C5FA765653ABF103A24485BA7F40E0CDF757907D2A29B
Reporter	SecuriteInfoCom

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.GenericKD.45772039.21972.30569

Verdict:

No threats detected

Analysis date:

2021-03-11 15:08:54 UTC

Tags:

installer

Link:

https://app.any.run/tasks/482866bd-b212-49f1-9732-7cd2843d6a15

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/123823/

Detection(s):

PUA.Win.Packer.BorlandCpp-9

SecuriteInfo.com.Trojan.GenericKD.45772039.21972.30569.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a UDP request

Transferring files using the Background Intelligent Transfer Service (BITS)

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Moving a file to the %temp% directory

Launching cmd.exe command interpreter

Creating a file

Changing a file

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/636788

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Hijacks the control flow in another process

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494/

Threat name:

Win32.Downloader.Penguish

Status:

Malicious

First seen:

2021-02-21 20:33:32 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

3/5

Verdict:

malicious

06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459

0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8

21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978

38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa

43aa01ebbd20c81ee60bd5b6bacabcdd0a84e0aeb892c0ea18383261dbcdb0fb

7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd

92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a

b12941d367baf1228f6d262c4696b267cd1d36e600742aaf1fee00582fe1ea07

b7d74de8e9514ca3fbfa4676be4433069bc913f86953a79d40c6272d5077242c

+ 442 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210311-rj4t4pmeex/

Unpacked files

SH256 hash:

c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c

MD5 hash:

abf6c724b20844d5b0073988a58faf1e

SHA1 hash:

7a8269d5b2ae623f8148ce9863f48f7e12ce036b

Link:

https://www.unpac.me/results/9bf14f6b-7a79-483b-a25a-71c548f879cd/

SH256 hash:

b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494

MD5 hash:

228d142c8c8d356aba381c12dd5bd72c

SHA1 hash:

481c78406c41ac2ec578f43a9843eb283efc03e2

Link:

https://www.unpac.me/results/9bf14f6b-7a79-483b-a25a-71c548f879cd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_parallax_payload_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax Injected Payload v1.01
Reference:	https://twitter.com/VK_Intel/status/1227976106227224578

Rule name:	crime_win32_rat_parralax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	MAL_crime_win32_rat_parallax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1061400/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/123823/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample